Brian Pennington

A blog about Cyber Security & Compliance

Tag

MasterCard

Merchant sues VISA. Biting the hand that feeds you?

I know that if there were no merchants there would be no credit card companies, and I know that the “alternative” payments market is growing (PayPal, V.me and the like), but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.

This is why, when I read about a merchant suing a credit card company, I was surprised. Not surprised that VISA had fined a merchant, not surprised that the merchant was upset at being fined, but surprised that it had got to court, because that means the normal, reasonable commercial communication channels had failed.

On 7 March the sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the card company issued in January 2013 following a breach of the retailer’s systems.

The lawsuit argues that:

  • Visa is not permitted to require other companies to pay penalties, citing Visa’s own operating regulations and California law.
  • Genesco was never out of compliance with the PCI DSS, and so it should not have been fined.

In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment, and speculation at the time was that the hackers had used a packet sniffer to siphon card data as it passed through the network.

The initial VISA fines of $5,000, issued via each of Genesco’s two banks in June 2011, are a standard charge which, depending on your location, will be 5,000 in the local currency, for example $5,000, €5,000 or £5,000.

Irrespective of the currency, a fine of 5,000 is little more than a formal acknowledgement that the merchant is, or was at the time, non-compliant with PCI DSS.

If a merchant has never successfully completed an on-site audit or Self-Assessment Questionnaire (SAQ) then it is non-compliant, and bearing in mind that the standard was first issued almost eight years ago, I think it is about time it was compliant.

However, in the case of a merchant that was successfully audited but then had a breach, or failed to maintain the standard, it is not so black and white: an assessment is a snapshot of a point in time, and the standard has to be maintained continuously between assessments.

Merchant who suffers a Data Breach

A breach at a PCI DSS compliant merchant is normally discovered not by the merchant but by the card schemes’ fraud analytics, which work back from fraudulent transactions to the merchant that the compromised cards have in common (the “common point of purchase”, or centre of the breach). Once the merchant at the centre of the breach is identified it is required to commission a forensic investigation by a company approved by the card schemes (a PCI Forensic Investigator, or PFI), which uses extensive skills and tools to establish how the card data was stolen, for example via packet sniffing. The forensic report is shared between the affected parties: the merchant, its bank and the card companies.
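
Working back from fraud to a merchant is usually called common point of purchase (CPP) analysis. The Go program below is an added illustration, not code from this post or from any card scheme. Over a constructed set of transactions it counts, for every merchant, how many of the fraud-reported cards were used there in the window before the fraud was reported, and ranks merchants by that count, breaking ties by the fraud rate among the merchant’s customers. The merchant names, card identifiers, day numbers and 60-day window are all made up for the example; a real scheme runs this over billions of authorisations and compares each merchant against its own baseline fraud rate rather than a simple tie-break.

```go
package main

import (
	"fmt"
	"sort"
)

// Transaction is one authorisation as the card scheme sees it.
type Transaction struct {
	Card     string // card identifier (in practice a PAN or a hash of it)
	Merchant string
	Day      int // day number on which the card was used at the merchant
}

// MerchantScore summarises how strongly one merchant is implicated.
type MerchantScore struct {
	Merchant   string
	FraudCards int     // distinct fraud-reported cards used here in the window
	TotalCards int     // distinct cards of any kind used here
	Coverage   float64 // share of all fraud-reported cards that shopped here
	FraudRate  float64 // FraudCards / TotalCards
}

// CommonPointOfPurchase ranks merchants by how many fraud-reported cards were
// used there in the `window` days before each card's report. fraudCards maps
// a reported card to the day the fraud was reported. Ties are broken by the
// fraud rate among the merchant's customers, which is what separates the
// breached merchant from a large retailer that every cardholder also visits.
func CommonPointOfPurchase(txs []Transaction, fraudCards map[string]int, window int) []MerchantScore {
	allSeen := map[string]map[string]bool{}
	fraudSeen := map[string]map[string]bool{}
	for _, t := range txs {
		if allSeen[t.Merchant] == nil {
			allSeen[t.Merchant] = map[string]bool{}
			fraudSeen[t.Merchant] = map[string]bool{}
		}
		allSeen[t.Merchant][t.Card] = true
		reportDay, reported := fraudCards[t.Card]
		if reported && t.Day <= reportDay && t.Day >= reportDay-window {
			fraudSeen[t.Merchant][t.Card] = true
		}
	}
	var out []MerchantScore
	for m, cards := range allSeen {
		fc := len(fraudSeen[m])
		out = append(out, MerchantScore{
			Merchant:   m,
			FraudCards: fc,
			TotalCards: len(cards),
			Coverage:   float64(fc) / float64(len(fraudCards)),
			FraudRate:  float64(fc) / float64(len(cards)),
		})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].FraudCards != out[j].FraudCards {
			return out[i].FraudCards > out[j].FraudCards
		}
		if out[i].FraudRate != out[j].FraudRate {
			return out[i].FraudRate > out[j].FraudRate
		}
		return out[i].Merchant < out[j].Merchant
	})
	return out
}

// SampleTransactions is a constructed history: every card shops at "bigbox",
// the four cards later reported as fraudulent (plus one clean card) shop at
// "shoes", and "cafe" sees only clean cards before the reports.
func SampleTransactions() []Transaction {
	var txs []Transaction
	for _, c := range []string{"c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8"} {
		txs = append(txs, Transaction{c, "bigbox", 5})
	}
	for _, c := range []string{"c1", "c2", "c3", "c4", "c5"} {
		txs = append(txs, Transaction{c, "shoes", 10})
	}
	txs = append(txs, Transaction{"c6", "cafe", 12}, Transaction{"c7", "cafe", 12})
	txs = append(txs, Transaction{"c1", "cafe", 40}) // after the report: must not count
	return txs
}

// SampleFraudCards: constructed reports, cards c1..c4 flagged on day 30.
func SampleFraudCards() map[string]int {
	return map[string]int{"c1": 30, "c2": 30, "c3": 30, "c4": 30}
}

func main() {
	for _, s := range CommonPointOfPurchase(SampleTransactions(), SampleFraudCards(), 60) {
		fmt.Printf("%-7s fraud cards %d of %d customers (rate %.2f, coverage %.2f)\n",
			s.Merchant, s.FraudCards, s.TotalCards, s.FraudRate, s.Coverage)
	}
}
```

Both “bigbox” and “shoes” are used by all four fraud cards, which is the classic false positive in CPP work; the fraud rate (4 of 5 customers against 4 of 8) is what puts the small merchant at the top of the list, and a transaction after the report date is ignored because it cannot be the source of the compromise.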

The forensic report may or may not establish whether the merchant was compliant with the standard at the time of the breach. It is reasonable to assume that the attackers installed software on, or otherwise broke into, Genesco’s systems, and almost every such scenario is covered by a PCI DSS requirement. On that reading the company could not have been taking adequate steps, was by definition not adhering to the requirements of the standard, and was therefore not compliant.

Merchant who fails to maintain the standard

It is very difficult to find a merchant who has failed to maintain the required standard unless:

  • there is a breach
  • there is a whistle-blower
  • a customer, or someone similar, notices practices that do not appear secure

At this point the merchant will be required to prove it is still abiding by the standard, which may take the form of a forensic investigation, an audit, a letter from its QSA or a letter from its directors.

The non-compliance fine is not the biggest problem for Genesco; that is the $13.3 million levied by VISA via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3 million) to recover the costs incurred by VISA whilst resolving the breach, e.g. card replacement, fraud cover, etc.

“Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later:

“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks’ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements.”

The interesting thing for me is the nature of the relationship between merchants and VISA, MasterCard and the other card brands. The card company provides the facilities for the merchant’s (retailer’s) customers to buy from it in a secure and efficient way. The merchant pays a percentage of each transaction to cover the costs (and profits) of the card companies, and that percentage is agreed in a contract, the same commercial contract that sets the other terms and conditions, including the security required to perform the transaction. Strictly, the merchant’s contract is with its acquiring bank, which is in turn bound by the card scheme’s operating regulations; that chain is why Visa fined Genesco’s banks and the banks passed the fines on to Genesco.

To avoid confusion and rogue traders the card brands formed the Payment Card Industry Security Standards Council, which consolidated the security programmes of its five founding members (American Express, Discover, JCB, MasterCard and Visa) into a single Data Security Standard (PCI DSS).

The standard is incorporated into that contract, just as the fee schedule is.

However, because the cost of a data breach cannot be known until one has occurred, it is impossible to quantify the cost of a breach in a contract. This is where I have a great deal of sympathy for merchants: they are agreeing to fines but have no idea how much those fines are going to be, or could be.

I remember a meeting with several of the card companies where the discussion centred on repeat offenders, i.e. merchants who kept being breached or who refused to become compliant with PCI DSS. Fines were mentioned, but it was agreed that merchants might be tempted to absorb small fines if that was cheaper than achieving the required security standard, and then the ultimate sanction was raised: STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.

What a sanction that is, because for almost all e-commerce businesses, and most consumer-driven businesses, it would mean going out of business in a matter of weeks, or possibly months.

As a consumer all I care about is being protected from the cost of fraudulent activity on my stolen credit card, but increasingly we as consumers are worried about the threat to our identity, and we expect, when card details are leaked, to be covered for all identity-based threats resulting from the possible loss of data. That increases the cost to the breached company, possibly via the card company.

I have a huge amount of sympathy for Genesco and every other merchant affected by a breach, because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”; they have to hope that the loss to the card company is not too great.

That is not a great way for a merchant to mitigate its risk, and it cannot benefit the card companies, who want prosperous and secure merchants to help them grow their profits.

The solution is simple: the card companies have to introduce and publish a schedule of fines from which a merchant can calculate its risk.

If a merchant knows, based on its transaction volume, that it could be liable for fines of $13.3 million, then it can invest greater resources in breach prevention or insure against the cost of a breach; either way it can make an informed risk assessment.

Similarly, if merchants who have not yet completed their PCI DSS compliance process know they could be fined X for non-compliance plus Y for a breach, they will very quickly run a risk assessment.

Let’s hope one result of this action is a clearer picture on fines, because clarity in business and risk is essential.



PCI Security Standards Council continues focus on mobile payment acceptance security

The PCI Security Standards Council (PCI SSC) is participating in a Congressional hearing titled “The Future of Money: How Mobile Payments Could Change Financial Services,” held by the Subcommittee on Financial Institutions and Consumer Credit.

Other organisations represented included:

  • Atlanta Federal Reserve
  • MasterCard
  • Smart Card Alliance
  • Consumers Union

The PCI Security Standards Council Chief Technology Officer Troy Leach served as an expert panelist, providing insight into security considerations when it comes to payment acceptance using mobile technology, as well as the Council’s work to date and future plans in this area.

The hearing is the first in a series of three designed to:

  • examine the technology by which mobile transactions are conducted
  • identify potential security problems and regulatory barriers that consumers, merchants and financial institutions might face when using mobile payment services
  • consider whether statutory changes are necessary as mobile payment systems become more widely available and increasingly used

Participation in the hearing comes as part of the Council’s and its stakeholders’ focused efforts in the area of mobile acceptance security.

Mobile payments cover two different environments for the use of mobile devices:

  1. merchant acceptance applications, where phones, tablets and other mobile devices are used by merchants as point-of-sale terminals in place of traditional hardware terminals
  2. consumer-facing applications, where the phone is used in place of a traditional payment card by a consumer to initiate a payment

The Council’s security efforts to date in this area have been concentrated on the first environment, securing the use of mobile devices as a point of sale acceptance tool.

 “Mobile technology offers exciting potential to the payments space,”

said Troy Leach, chief technology officer, PCI Security Standards Council.

 “To help realize this securely, the Council is working with its global stakeholders to develop the industry standards and resources necessary for the protection of cardholder data across all payments channels, and for the reduction of fraud for consumers and businesses globally.”

In 2011, the Council issued guidance on the types of payment applications that can allow organizations to accept and process payments securely using mobile technology, including a checklist resource to help explain simply and succinctly to anyone currently considering mobile acceptance solutions which types of application support PCI Standards.

The Council also identified the types of applications that fall short of security standards for secure mobile acceptance. In collaboration with industry subject matter experts, including software application developers, the Council is continuing to examine this area to determine whether the inherent risk of card data exposure in these applications can be addressed by existing PCI Standards, or whether additional guidance or requirements must be developed.

Compliance by device vendors with these requirements now allows merchants to use plug-in card readers with mobile phones that encrypt the track data at the moment the card is swiped, so that what leaves the reader is unreadable. The mobile device acts only as a conduit: it never holds the key and so has no ability to decrypt the data. The security of the arrangement therefore rests on the reader’s key management and on the decryption environment at the processor, not on the phone.
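
To make the “conduit” role concrete, here is an added Go model of that arrangement; it is illustrative code written for this page, not code from the Council, from any reader vendor or from the post. A reader object seals the track data with AES-GCM under a key it shares only with the decryption environment, the phone merely forwards the resulting bytes, and the decryption environment recovers the data while rejecting a blob that has been altered or that is presented under another reader’s serial number. The track data is constructed from a published test PAN, the reader serials are invented, and the single static key is an assumption to keep the example short: a real PTS or P2PE reader has its key injected in a secure facility and derives a fresh key per transaction (DUKPT).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Track2 is constructed test data built on the Visa test PAN 4111..., not a real account.
const Track2 = "4111111111111111=25121011234500000000"

// newAEAD builds AES-256-GCM; with a 32-byte key neither constructor can fail.
func newAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// CardReader models an encrypting swipe head. A real PTS/P2PE reader has its key
// injected in a secure facility and derives a fresh key per transaction (DUKPT);
// the single static key here is an assumption made to keep the example short.
type CardReader struct {
	aead   cipher.AEAD
	serial string
}

// Swipe returns what the phone app receives: nonce || ciphertext || tag. The reader
// serial is bound as associated data, so a blob cannot be passed off as another reader's.
func (r *CardReader) Swipe(track2 string) []byte {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return r.aead.Seal(nonce, nonce, []byte(track2), []byte(r.serial))
}

// PhoneCanReadPAN is the check a QSA applies to the app's memory and logs: the phone
// only forwards the blob, so the clear PAN must not appear in anything it handles.
func PhoneCanReadPAN(blob []byte, pan string) bool {
	return bytes.Contains(blob, []byte(pan))
}

// DecryptionEnvironment is the processor-side host or HSM that holds the key.
type DecryptionEnvironment struct{ aead cipher.AEAD }

// Open recovers the track data, rejecting anything modified in transit or presented
// under a reader serial it was not sealed for.
func (d *DecryptionEnvironment) Open(serial string, blob []byte) (string, error) {
	ns := d.aead.NonceSize()
	if len(blob) < ns+d.aead.Overhead() {
		return "", errors.New("blob too short")
	}
	pt, err := d.aead.Open(nil, blob[:ns], blob[ns:], []byte(serial))
	if err != nil {
		return "", errors.New("integrity check failed: tampered blob or wrong reader")
	}
	return string(pt), nil
}

// DemoResult records what each party could do with one swipe.
type DemoResult struct {
	PhoneSeesPAN        bool
	Recovered           string
	TamperedAccepted    bool
	WrongReaderAccepted bool
}

// Demo runs one swipe reader -> phone -> decryption environment, then retries with
// a bit flipped in the blob and with the blob attributed to a different reader.
func Demo() DemoResult {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	reader := &CardReader{aead: newAEAD(key), serial: "RDR-0001"}
	host := &DecryptionEnvironment{aead: newAEAD(key)}
	blob := append([]byte(nil), reader.Swipe(Track2)...) // the phone just forwards bytes
	recovered, _ := host.Open("RDR-0001", blob)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tErr := host.Open("RDR-0001", tampered)
	_, sErr := host.Open("RDR-0002", blob)
	return DemoResult{
		PhoneSeesPAN:        PhoneCanReadPAN(blob, "4111111111111111"),
		Recovered:           recovered,
		TamperedAccepted:    tErr == nil,
		WrongReaderAccepted: sErr == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point for an assessor is the last three fields: the phone never has the PAN in any form it could log or leak, and because the reader serial is authenticated along with the ciphertext, neither a modified blob nor one relabelled as coming from a different reader is accepted by the decryption environment.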

In the coming months the Council plans to release specific guidance for merchants on how to effectively use these security requirements in conjunction with encryption technology to more easily and securely accept payments using mobile technology.

Later this year the Council will also produce a best practices document for securing mobile payment transactions.

PCI and mobile payment security will be a topic of discussion at the Council’s Annual Community Meetings scheduled for

  • September 12-14 in Orlando, Florida
  • October 22-24 in Dublin, Ireland – if you are going to Dublin see you there


PayPal, Payments and PCI

Ingenico has announced a partnership with PayPal which will enable merchants with Ingenico POS devices to accept PayPal payment options, read the press release here.

Ingenico and PayPal have each made statements on the relationship:

“Today’s savvy shoppers want the option to choose how they pay for goods and are agile enough to easily switch between multi-shopping platforms. Our goal, as one of the key POS device and solutions providers, is to equip merchants with a versatile secure platform capable of accepting and handling diverse forms of payment,” said Thierry Denis, president of Ingenico North America. “By working with PayPal to bring their payment solutions to offline retail, we will naturally empower both the merchant, by providing a better way to connect with its shoppers to generate incremental sales, and the shoppers by adding speed and convenience at the checkout combined with expanded payment options. This relationship enables us to offer the most advanced solution for today’s practical shopper”

“PayPal’s vision for the future of shopping includes people making purchases anytime, anywhere and over any device. Ingenico is helping PayPal realize this vision by putting PayPal in stores and at the point of sale,” said Don Kingsborough, vice president of retail and pre-paid products. “Millions of PayPal users will soon have several innovative ways to make purchases at many of their favorite retailers, including using Ingenico terminals to swipe their PayPal payment cards or to enter the mobile phone number and pin associated with their PayPal accounts.”

Walt Conway, a prominent QSA and manager at 403 Labs, commented:

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the piece about Home Depot letting shoppers pay in-store using PayPal:

“On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

Thank you Walt for permission to use your excellent work.

Can Tokenization help to reduce the risk of fraud involving Credit Cards?

When it comes to protecting sensitive data, especially credit card data, an organisation needs protection in place because it is a constant battle against a variety of attacks with the two greatest foes being:

  • Social Engineering (e.g. preying on employees or customers)
  • Technology (hackers, viruses, etc.)

Social Engineering can be addressed by implementing regular training, professional management and monitoring, but Technology is a different story.

Technology is an ongoing battle, with thousands of new attacks being developed every week, e.g. viruses, Trojans, application-level attacks (e.g. SQL injection), etc.

New attack vectors require new defences, just like in fencing as one fencer makes a move the other needs to counter.

Security moves and counter-moves cost time and money, especially when you consider that the potential weakness could be in any device on the network, e.g. phone systems, servers, BYOD, printers, etc. In a flat or non-segmented network one breached device could lead to the breach of every device.

If multiple devices and applications require access to credit card data, e.g. CRM and customer billing, the scope of the risk is far greater, which is why reducing that scope is so important.

Tokenization can dramatically reduce that scope by replacing credit card data, and other sensitive information, with a surrogate value (a token) that downstream systems can still use but that contains no Personally Identifiable Information (PII) or card data. The original data is stored in a “data vault” protected by strong encryption and tight access control, and only the vault can map a token back to the card number.

For some companies Tokenization has reduced the risk-points from several dozen to one, and if the vault is placed in the “cloud” with a service provider, most of the organisation’s own technology and infrastructure can be taken out of PCI DSS scope. Note what stays in scope: the point at which the card data is captured before it is tokenized, and any system that is able to detokenize.
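
The following Go program is an added example of the mechanics, written for this page and not taken from the post, the linked guide or any tokenization product. It generates 16-digit tokens that keep only the last four digits of the PAN, fill the rest with random digits and are deliberately regenerated if they happen to pass the Luhn check, so a token can never be mistaken for a card number; the same PAN always maps to the same token so repeat customers can be matched. The FindPANs function is the check a cardholder-data discovery scan applies to logs and databases, and it shows why a record holding a token adds nothing to scope. The vault is an in-memory map here; the encryption and access control around it, and the test PAN used, are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"sync"
)

// LuhnValid reports whether a digit string passes the Luhn check every real PAN satisfies.
func LuhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Vault is the token store: an in-memory map here, where a real "data vault" wraps the
// same map in strong encryption and strict access control. Detokenize is the privileged
// operation, and any system allowed to call it is in PCI DSS scope.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byPAN   map[string]string // one token per PAN, so a repeat customer matches
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// Tokenize returns a 16-digit token keeping only the last four PAN digits. The other
// twelve are random, and a candidate that passes the Luhn check is discarded, so a
// token can never be mistaken for, or used as, a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !LuhnValid(pan) {
		return "", errors.New("not a plausible PAN")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	for {
		middle := make([]byte, 12)
		for i := range middle {
			n, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			middle[i] = byte('0' + n.Int64())
		}
		token := string(middle) + pan[len(pan)-4:]
		if LuhnValid(token) || v.byToken[token] != "" {
			continue
		}
		v.byToken[token] = pan
		v.byPAN[pan] = token
		return token, nil
	}
}

func (v *Vault) Detokenize(token string) (string, bool) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[token]
	return pan, ok
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// FindPANs is the test a cardholder-data discovery scan applies to logs, databases and
// file shares: a 13-19 digit run that is Luhn-valid. Tokens from this vault never match.
func FindPANs(text string) []string {
	var found []string
	for _, m := range digitRun.FindAllString(text, -1) {
		if LuhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

func main() {
	v := NewVault()
	token, _ := v.Tokenize("4111111111111111") // constructed test PAN, not a real card
	fmt.Println(token, FindPANs("cust 42 card "+token), FindPANs("cust 42 card 4111111111111111"))
}
```

Two design choices are worth noting. Keeping only the last four digits, rather than the first six and last four, leaves twelve random digits instead of six, so a token cannot be brute-forced back to a PAN by someone who knows the BIN. And forcing the Luhn check to fail means any scanner, DLP rule or QSA sampling script that looks for card numbers will ignore the token rather than flag the system holding it.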

For details on reducing the scope of PCI DSS see my other post Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data

For a copy of the guide “Tokenization for Dummies” click here.


midata kicks off with the support of government and businesses

The UK Government has announced a ground-breaking joint venture with 26 organisations to empower consumers to have more control over their personal data.

midata, launched on the 3rd November 2011, is a voluntary scheme that will allow consumers to access their data in a safe and secure way and make better decisions reflecting their personal wants and needs. New services made possible by midata will further assist consumers, whether it be in getting the best deal on their mobile phone contract or energy tariff, or managing their lives more efficiently.

Launching the midata vision, Consumer Affairs Minister, Edward Davey said:

“Currently, most consumer data is held by service providers, meaning only one side of the customer-business relationship is empowered with the tools of information management. midata seeks to redress that balance.

“This is the way the world is going and the UK is currently leading the charge. We see a real opportunity here, but others, including the US and EU, are also showing real interest in the programme and the economic benefits it can deliver. So if we want to continue leading the way, we need to develop a platform upon which the innovation and services that drive growth can be built. midata aims to do just that.

“I’m delighted that so many organisations are supporting our vision and I look forward to working with them closely as the programme progresses.”

The midata programme marks a non-regulatory approach to consumer empowerment and is in keeping with the Government’s broader focus on transparency and openness.

The next step will include setting time lines and developing online ‘personal data inventories’ (PDIs) in each sector, which will describe the types of data an organisation holds about each customer.

Protocols will also be established to handle any issues relating to privacy, data security and consumer protection. midata is also working with companies to develop common approaches that will allow customers to access their data including their contact details, current tariffs and contracts, etc and update basic information about themselves.

The PDI and access work will precede the release of data back to customers in an electronic format. The goal is to enable the first releases in the first half of 2012.

Businesses and organisations that have so far committed to working in partnership with Government to achieve the midata vision are:

  • Avoco Secure
  • billmonitor
  • British Gas
  • Callcredit
  • EDF Energy
  • E.ON
  • Garlik
  • Google
  • Lloyds Banking Group
  • MasterCard
  • Moneysupermarket.com
  • Mydex
  • npower
  • RBS
  • Scottish Power
  • Scottish Southern Energy
  • The UK Cards Association
  • Three
  • Visa

The other organisations involved are government agencies and consumer groups.

The Government’s vision for midata

Consumer Data Empowerment

midata is a voluntary partnership between the UK Government, businesses, consumer groups, regulators and trade bodies to create an agreed, common approach to empowering individuals with their personal data.

midata recognises and supports the principle of individuals using their own customer information to gain an insight into their own behaviour, make more informed choices and better decisions, to manage their affairs more efficiently, and to obtain the products and services that best meet their needs.

midata is part of the Government’s growth agenda. It will help achieve economic growth by improving information sharing between organisations and their customers, sharpening incentives for businesses to compete keenly on price, service and quality, building trust and facilitating the creation of a new market for personal information services that empower individuals to use their own data for their own purposes.

Organisations can help realise the goals of midata by providing customers with the ability to access and re-use their ‘customer data’ – including data about customer transactions, interactions and usage behaviours that organisations collect.

The aim of the midata project is for organisations that collect, store and use customer data to endorse and work towards the following goals and principles.

Organisations collecting, using and holding customer data should:

  • Maintain and make available to customers accurate and up-to-date descriptions of the types of personal data they hold about these customers. (Consumer Data Transparency)
  • Develop, support and promote ways to release customers’ data back to them in a safe, privacy-friendly, portable and re-usable manner. This data should be made available to them online for free and to use as they see fit. (Consumer Data Access)
  • Minimise the risks of data breaches and invasions of privacy. This includes:
    a) working to ensure that all personal information is accessed and released safely and securely
    b) helping to create a personal data environment that enables individuals to hold, use and share their data in ways they understand and can trust, which protects their interests and empowers them to use their data for their own purposes. (Consumer Data Security)
  • Work with other organisations via the midata project to encourage the innovation of new consumer information services that deliver midata goals. (Consumer Data Innovation)

Consumer Data principles

The following principles will guide the project:

  1. Data that is released to customers will be in reusable, machine-readable form in an open standard format.
  2. Consumers should be able to access, retrieve and store their data securely.
  3. Consumers should be able to analyse, manipulate, integrate and share their data as they see fit – including participating in collaborative or group purchasing.
  4. Standardisation of terminology, format and data sharing processes will be pursued as far as possible across sectors.
  5. Once requested, data will be made available to customers as quickly as possible.
  6. The focus will be to provide information or data that may be actionable and useful in making a decision or in the course of a specific activity.
  7. Organisations should not place any restrictions on or otherwise hinder the retention or reuse of data.
  8. Organisations will work to increase awareness amongst consumers of the opportunities and responsibilities that arise from consumer data empowerment.
  9. Organisations will provide customers with clear explanations of how the data was collected and what it represents, and who to consult if problems arise.


PCI Security Standards Council adds PCI PIN Security requirements to PTS standard

The PCI Security Standards Council (PCI SSC)  has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.

After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs and at attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in the current PTS security requirements.

The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.

“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”

The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities for PIN theft that the requirements address include:

  • PINs that are not protected by a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique, and never change
  • Few, if any, documented PIN-protection procedures
  • Audit trails or logs that are not maintained
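
The first two items in that list have a precise technical meaning, and the Go program below is an added worked example of them; it is written for this page and is not code from the Council, the PTS programme or the post. It builds an ISO 9564-1 format 0 PIN block (the PIN field XORed with the rightmost twelve PAN digits excluding the check digit), shows that binding the PAN in makes the same PIN give a different block on every card and lets the receiving host detect a block built for another card, and then encrypts the block under a PIN encryption key with Triple DES as a PIN pad does before the block leaves its tamper-responsive boundary. The PAN, PIN and key are constructed test values; in a real deployment the key is unique per device and changed per transaction (DUKPT) and the clear block only ever exists inside an approved cryptographic device, which is exactly what the third bullet is about.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func isDigits(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// panField returns the 16-hex-digit PAN field: 0000 followed by the rightmost
// twelve PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if !isDigits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// FormatZeroPINBlock builds an ISO 9564-1 format 0 PIN block: the PIN field
// (control nibble 0, PIN length, PIN digits, F padding) XORed with the PAN field.
// Binding the PAN in means the same PIN on two cards gives two different blocks,
// so a block captured from one card cannot be replayed against another.
func FormatZeroPINBlock(pin, pan string) ([]byte, error) {
	if !isDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	p, err := panField(pan)
	if err != nil {
		return nil, err
	}
	f, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	block := make([]byte, 8)
	for i := range block {
		block[i] = f[i] ^ p[i]
	}
	return block, nil
}

// ExtractPIN reverses FormatZeroPINBlock and validates the structure, which is how a
// host or HSM detects a block built for a different PAN or corrupted in transit.
func ExtractPIN(block []byte, pan string) (string, error) {
	p, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or block length")
	}
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ p[i]
	}
	f := strings.ToUpper(hex.EncodeToString(clear))
	n := int(clear[0] & 0x0F)
	if f[0] != '0' || n < 4 || n > 12 || !isDigits(f[2:2+n]) || strings.Trim(f[2+n:], "F") != "" {
		return "", errors.New("malformed PIN block: wrong PAN or tampered")
	}
	return f[2 : 2+n], nil
}

// TDES applies two-key Triple DES (K1 K2 K1) to one 8-byte block under a 16-byte PIN
// encryption key: encrypt=true in the PIN pad, false in the host HSM. A real PEK is
// unique per device and changed per transaction (DUKPT); the static key is an assumption.
func TDES(pek, in []byte, encrypt bool) ([]byte, error) {
	if len(pek) != 16 || len(in) != 8 {
		return nil, errors.New("need a 16-byte PEK and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, pek...), pek[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out, nil
}

func main() {
	const pan, pin = "4012888888881881", "1234" // constructed test PAN and PIN
	pek := []byte("0123456789ABCDEF")            // constructed PEK for the demo only
	block, _ := FormatZeroPINBlock(pin, pan)
	enc, _ := TDES(pek, block, true)
	dec, _ := TDES(pek, enc, false)
	got, _ := ExtractPIN(dec, pan)
	fmt.Printf("clear block %X\nencrypted   %X\nrecovered PIN %s\n", block, enc, got)
}
```

For the constructed values above the clear block is 04121C7777777E77: the PIN field 041234FFFFFFFFFF XORed with the PAN field 0000288888888188. Presenting that block against a different PAN un-XORs to a PIN field with non-digit characters, which is why the host rejects it rather than silently verifying the wrong PIN.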

“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.

The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.

Register for the November 8 session here.

Register for the November 10 session here


Comparison Of Cost Of Ownership Between In-House And Managed Pay


Interesting article comparing two payment methods a Merchant could choose.

It is written by a managed Payments Provider but tries to deliver the assumptions and figures as accurately as it can.

“The objective of this study is to compare an in-house supported credit/debit card EMV (Europay,MasterCard and Visa) Chip & PIN and PCI-DSS(Payment Card Industry Data Security Standard) accredited payment solution with a managed outsourced payment service solution provided by YESpay through a comprehensive financial model analysis, consisting of cost-of-ownership and cash-flow analysis.

Cost-of-ownership and cash-flow analysis provides a good base for comparing the financial propositions of the two payment solutions, namely, in-house and managed. Combining this with the intangible costs and benefits of the two systems gives a complete comparative analysis.

The result of this study shows that by outsourcing their payment solution to a third party payment service provider, mid- to top-tier retailers can save more than 50% on cost of ownership of their payment solution depending on size of the POS till requirements.”

Access the white paper here: Comparison Of Cost Of Ownership Between In-House And Managed Pay (registration required). It was written by Vivek Singh.

For more information on PCI DSS visit the PCI Resource centre here.


CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time.  

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here 
  • 90% of online thieves are now associated with organized crime. Details of Fraud patterns can be found here
  • “botnet” infections are growing at a rate of approximately 200,000 per day. Download the “10 Botnet Questions” White Paper here

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here

Benefits of PCI Compliance – direct and indirect


Many Merchants see the Payment Card Industry’s Data Security Standard (PCI DSS) as an expense they could do without. 

The counter argument is most businesses would struggle if nothing was done to tackle Credit Card Fraud because the Credit Card companies would need to charge Merchants a higher transaction rate to cover their losses. 

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed in the full post.

PCI SSC Board of Advisors 2011 elections are now open

The PCI SSC Board of Advisors elections for 2011 to 2013 are now open.

All PCI SSC Participating Organizations can vote. Voting closes on 08 April 2011. The votes will decide the composition of the Board of Advisors for the next two years. A complete list of the candidates is below:

Financial Institution – 3 votes

  • Australia and New Zealand Banking Group Limited (ANZ)
  • Bank of America
  • Bank of America Merchant Services
  • Banrisul S.A.
  • BARCLAYCARD
  • Citi
  • JPMorgan Chase & Co.
  • SIX Multipay
  • WorldPay (UK) Ltd 

Merchant – 3 votes

  • Allstate Insurance Company
  • British Airways
  • CHS Inc.
  • CVS Caremark
  • Exxon Mobil Corporation
  • FedEx
  • Hawaiian Airlines
  • HMSHost
  • Intuit Inc.
  • Loves Travel Stops & Country Stores, Inc.
  • McDonald’s Corporation
  • National Association of College and University Business Officers
  • Starbucks Coffee Company
  • Tesco Stores Limited
  • The Walt Disney Company
  • VF Corporation
  • Wal-Mart Stores, Inc.
  • Woolworths Limited 

Processor – 3 votes

  • Cielo
  • DirectCash Payments Inc.
  • Elavon
  • First Data Corporation
  • Fiserv
  • Global Payments Inc. (NYSE:GPN)
  • Heartland Payment Systems
  • Litle & Co.
  • Merchant Warehouse
  • Mercury Payment Systems
  • Moneris Solutions
  • Payment Processing Inc
  • Point International (Point Group)
  • Sage Payment Solutions
  • The SHAZAM Network
  • TSYS 

Vendor – 3 votes

  • Agilysys
  • ATX Innovation
  • Cisco
  • Citrix Systems, Inc.
  • Convergys
  • Datapipe
  • Fico
  • Hypercom Corporation
  • Ingenico
  • Mako Networks
  • MICROS Systems, Inc.
  • nuBridges, Inc.
  • Panasonic Avionics Corporation
  • Reliant Security
  • RSA
  • Shift4 Corporation
  • Vanguard Integrity Professionals
  • VeriFone Systems, Inc.
  • Voltage Security 

Other – 2 votes

  • Apriva
  • CARTES BANCAIRES
  • Envision Telephony Inc.
  • European Payments Council
  • IATA
  • Interac Association
  • Network Frontiers (the Unified Compliance Framework)
  • Payment Alliance International
  • Paypal
  • RSPA – Retail Solutions Providers Association
  • The UK Cards Association
  • Vendorcom
  • VigiTrust Ltd
  • Wright Express

Data supplied by VeriTape.

Fraud losses drop on UK cards, cheques and online banking

The UK Cards Association reports that fraud losses over 2010 in the UK on cards, cheques and online banking have dropped against the 2009 figures.

Total fraud losses on UK cards fell to £365.4 million in 2010 – a 17 per cent reduction compared with losses in 2009. This is the lowest annual total since 2000 and follows on from a fall of 28 per cent in 2009. This current downward trend is due to the banking industry’s ongoing investment to deter, detect and prosecute fraudsters. Initiatives include: better awareness amongst retailers about how to protect their chip and PIN equipment from criminal attack; greater sign-up to online fraud prevention initiatives such as MasterCard SecureCode and Verified by Visa by cardholders and retailers; improved industry sharing of fraud data and intelligence; increasing use of fraud detection tools by banks and retailers; the increasing roll-out of chip and PIN abroad and the upgrade of chips on UK cards.

Online banking fraud losses totalled £46.7 million in 2010, a 22 per cent fall on the 2009 figure. Factors contributing to this fall include customers better protecting their own computers with up-to-date anti-virus software, combined with banks’ use of sophisticated fraud detection software. This decrease has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

Phone banking fraud losses totalled £12.7 million during 2010, an increase of five per cent from 2009. Most losses involve customers simply being tricked into disclosing their personal security details – through cold calling or fake emails – which the criminal then uses to commit fraud. This suggests that some customers are still not aware that their bank will never cold call or email them to ask for login details and passwords.

Cheque fraud losses decreased from £29.8 million in 2009 to £28.9 million during 2010. The vast majority of attempted fraud gets stopped before the cheque is paid. The industry’s ongoing work to prevent cheque fraud has helped drive these losses down. The continuing drop in cheque usage has also contributed to the three per cent fall in overall cheque fraud losses.

Detective Chief Inspector Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) – the industry-sponsored specialist police unit that tackles the organised criminal gangs behind fraud – comments:

“Whilst another drop in fraud is good news, the fraudsters haven’t shut up shop which is why there can be no room for complacency on the part of the banking industry, retailers, law enforcement or indeed customers themselves. By taking simple steps, such as: shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.

“Fortunately in the UK – unlike some other countries – innocent victims of any type of payment fraud on their debit or credit card or account are protected and should not suffer any financial loss.”

Melanie Johnson, Chair of The UK Cards Association, which represents UK credit and debit card providers said:

“The cards industry is greatly encouraged by the major decrease in card fraud losses for a second successive year, but we will not be easing off our efforts as a result. It is essential to us that customers feel safe and secure when they use their cards and we will continue to invest in a wide range of fraud prevention initiatives to keep it this way.”

Fraud figures released by the National Fraud Authority (NFA) earlier in the year also serve to put these banking fraud losses into perspective. The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for just over one per cent of this figure.

A comparison of the figures for 2007, 2008, 2009 and 2010 can be found here: http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1323/

Where do security breaches occur? What type of data is stolen and who makes the discovery?


Trustwave has published its Global Security Report 2011 and it has some very interesting research.

The research draws on incidents investigated by the company: of a total of 220 investigations undertaken into suspected breaches, 85% were confirmed as breaches, with 90% resulting in data theft.

The headline statistics are:

Industry breakdown of where the incident happened

  • Food and beverage   57%
  • Retail   18%
  • Hospitality   10%
  • Government   6%
  • Financial   6%
  • Education   1%
  • Entertainment   1%
  • Construction   1%

Types of Data stolen

  • Payment Card Data   87%
  • Sensitive company data   8%
  • Trade Secrets   3%
  • Authentication Credential   2%
  • Customer records   2%

This may simply reflect the fact that Trustwave is a Payment Card Industry forensics and incident investigator, or it may be further proof, if we needed it, that the bad guys are after the money.

Who found out that there had been an incident?

  • Regulatory detection   60%
  • Self detection   20%
  • Public detection   13%
  • Law enforcement   7%

Is it any wonder that the credit card issuers strictly enforce the Payment Card Industry Data Security Standard (PCI DSS) when Merchants themselves discover only 1 in 5 Account Data Compromises (ADC), also known as breaches?

Previous research found that the majority of cards are used in multiple frauds.

Merchants come out on top in the time to detect a breach

  • Regulatory detection  156.5 days
  • Public Detection   87.5 days
  • Law Enforcement   51.5 days
  • Self Detection   28 days

This is interesting: only 1 in 5 breaches were found first by a Merchant, which means the majority of breaches take over 100 days to be discovered.

Trustwave www.trustwave.com

Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure? – Smart Card Alliance


The EMV specification defines technical requirements for bank cards with embedded microchips and for the accompanying point-of-sale (POS) infrastructure. With few exceptions (primarily in the United States), financial institutions worldwide issue EMV bank cards to businesses and consumers.

According to EMVCo, approximately 1 billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards. The primary purposes of including a chip in a bank card are to store cardholder data securely, protect data stored on the chip against unauthorized modification, and reduce the number of fraudulent transactions resulting from counterfeit, lost, and stolen cards.

Smart Card Alliance website

Smart Card Alliance White Paper: Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?
